Cloudflare Zero Trust Token
Service Name: Cloudflare Zero Trust
Service Description: Cloudflare Zero Trust is a security platform that helps organizations secure their applications, networks, and employees using Cloudflare's global network. It provides secure access to internal and external resources through identity verification and context-based authentication.
Service Address: https://www.cloudflare.com/zero-trust/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured through Cloudflare Access policies and Gateway rules.
Secret Access Scope: Grants programmatic access to Cloudflare Zero Trust services, including the ability to manage access policies, identity providers, and device posture checks.
Secret Revokement URL: https://dash.teams.cloudflare.com/
Secret Example: CF- ZT_eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI 6IkNsb3VkZmxhcmUgWmVybyBUcnVzdCIsImlhdCI6MTUxNjIzOTAyMn0
Suspicious Activity Investigation Instructions:
- Review Cloudflare Zero Trust logs for unusual access patterns or policy changes.
- Check for unauthorized device connections or access attempts.
- Monitor for changes to access policies or identity provider configurations.
- Review audit logs for administrative actions taken with the token.
- Verify if the token was used from unusual geographic locations or outside normal business hours.
Mitigation Instructions:
- Log in to the Cloudflare Zero Trust dashboard at https://dash.teams.cloudflare.com/
- Navigate to Settings > Account > API Tokens
- Locate the compromised token and click "Revoke"
- Generate a new token with appropriate permissions if needed
- Review and update access policies to ensure they follow the principle of least privilege
- Consider implementing additional security measures such as IP restrictions or device posture checks
- Update any applications or services that were using the revoked token with the new token